BSidesCharm 2025 - Career Campaigns: Changing Your Professional ‘Class’ for an InfoSec Role- Stryker

[Music]

Uh so hi uh I'm Striker. This is career campaigns changing your professional class for an infosc role. This was kind of born of the presentation that I wished I had had when I was trying to pivot in unsuccessfully for quite some time. Uh so this is the things I learned um as told through a D&D metaphor. Basically, we're going to pretend that our resumes are uh D and D character sheets and uh how do you reclass or reskill them? But that's a bit of a spoiler. So, first things first, I have a QR code. Please scan that if you would like to access the folder of all of the materials. This will include uh today's Excel sheets

where you can pick one and play along uh as we go through this particular presentation. You don't have to. Um it will also include all of the reference worksheets that will be at my workshop tomorrow. Uh so, if you guys are going to come, that's awesome. And if you don't, here's the materials. Um, so and also if your personal threat profile does not account for QR codes at a security conference, I'm sorry I don't have much for you. So, uh, first section we're going to go through just again what I used to do. Uh, my attempted pivot and kind of some of the context of the wider infosc hiring landscape at the time. Uh, then we have what I've kind of

coined as an opportunity formula. uh where we get into well what actually how do you actually break in to any job? How do you get any opportunity and what can you change and what can't you change and then fairness in quotes because life ain't fair. Um third uh we'll be literally reclassing the resume. So this is how I personally revised my resume to start getting interviews and eventually a job actually two jobs. Um, so funnily enough, I first presented this at a conference in Canada in October of 2024. A month and a half before I went on stage, uh, my previous employer laid me off. So, I was about to present, how do you break into cyber security, having

been laid off of that job. So, thus ensued the most frantic pivot and attempt to get a job I have ever had. And about two weeks from the day I got laid off, uh it was actually exactly 14 days uh that I got my offer letter from my current employer. I currently work for a major US insurance company within their uh internal uh cyber threat intelligence team. Uh and for the record, what I mention is not necessarily indicative of how we do things at work. Um and is drawn from many of my previous employers. Finally, we'll get into show don't tell. So, how do you classify different types of augmentations to your resume? because you don't have to just reclass it. You

can actually buff it up for the new class you want to take. And then a little bit of interview advice. Uh wherever you see the little icon that like the first uh document, that's the V1 we'll be working with of the resume or the character sheet that I've provided. Uh V2 is the reclassed or reskilled version depending on what you choose. And then every time there's a little D20 there, uh that's where we're going to be rolling. So again, you're welcome to participate. You don't have to be good at uh tabletop RPGs or even know what that is uh in order to do this workshop today, but if you guys wanted to play along, that would be

great. So, hi again. Hi, I'm Striker. Um I spent about 10 years previously in marketing. I know I sent those emails you hated, and I'm really sorry. Um my specialization was actually something called content marketing. That's where you have to research something better than your audience knows so that you sound like you know what the hell you're doing and then you create things of value. I was so far up what they call the funnel. Like I never messed with money. All I wanted to do was help all of my audience with really wellressearched, really in-depth things uh that they could then use in their everyday jobs and then when they were considering for multi-millions of

dollars for contracts, they would think well of my employer. I did that for about 10 years. uh kind of climbed every mountain there. Um did a whole bunch of different roles and I worked at a lot of small to medium-sized businesses where I was the most technically enabled person there. Um and whenever that happens, you end up doing a lot of the work yourself. Um I have personally um uh moved over and migrated entire databases and websites to different platforms. I have done DNS redirects and um pushed a patch to a website on a Friday cuz that's smart and then had to roll back to last known good. I have had to wrestle with the question the man who owns the

company pays my bills and paid for this database wants god access and he forgot to pay the hosting bill last month. This is not a good idea. How do I handle that? So I actually had to do a lot of IT and frankly cyber security things while I was in marketing and I had no idea until I worked for my next employer. So I used to work for a company who was often in the news for breaches from China and I was hired to be their cyber security content person. I discovered in learning more about my new audience, wow, I like you guys way more than I like my marketing peers. and you guys do something good. I wanted

to, if you'll excuse the pun, I wanted to do something good instead of email. Um, so I on my own dime paid for and went to Black Hat, uh, and where I was threatened with death and dismemberment if I talked to any man of the media. Uh, and then I went to Defcon and boy howdy, that was an adventure. And I wanted to I went because I wanted to see if you guys could use somebody like me. And all of my responses, I brought all of my old research. I brought all of the things and kind of just laid it out and said, "Do you want me to people who weren't hiring, which is always a great sample?" And they said

yes. And all of my initial research seemed to back that. Now, this is from the ISC2 workforce study. And again, this is one of the certifying agencies, so of course they have an axe to grind. Keep that in mind. But the estimated workforce, while it only grew about 0 what 7% year-over-year for this last last uh survey, it uh seemed to have more than enough space for someone like me to interfere. there was a gap and this is the gap between the number of current estimated people employed and how many people they more people they need in order to properly secure organizations. This is an estimate and this is what everybody keeps saying. Oh, we need more people in cyber. we have

all of these positions in cyber and you know so clearly there could be room for me and on top of that there were hiring managers in this same survey and others I could cite that said yeah we need more people to get involved in cyber not only that that we need people of all levels of experience in cyber so my personal experience that I had gotten in marketing uh that marketing managers never cared out and just wanted to know how well I could copyright or how how many dollars uh my emails ended up generating. I'm sorry. Um they could use somebody like me who was patching together this experience and just wanted to pivot in. I was

managing people. I've built teams. I've done the whole revenue thing. I was willing to go back to being an individual contributor just to be able to be one of you. Not only that, but of the practitioners in the field, those who had a degree in a field that wasn't cyber security related, that wasn't it, that wasn't compaiized, said they found it useful or had previously worked in an IT position, they found those things useful. I could be useful. And that's all I've ever really wanted to be was useful. Behold the field of mine interviews. Lo, it is barren. Now, this is a little bit arrogant to say um but there is kind of a funny running joke in my um ex's

friend circle that I have this weird magic touch with getting interviews. It was like every year like, "Oh, how's work going?" I'm like, "Yeah, I started a new job." And like again, I'm like, "Yeah, I mean, you can't hop." So, apparently I'm I have a weird odd magic touch with this. So, when I say that I had no interviews, no call backs, I was ghosted. This is weird for me. Again, super freaking privileged, right? And I had a think. And when I had a think, I rage clean. That's the only time my house ever gets dusted. And on a back shelf with a whole bunch of games that I hadn't had a chance to play because I was so busy

studying for exams and and thinking about this pivot, I found an old D20, which I think is in my pocket. I found a d20, which is a 20-sided die. It's used a lot in tabletop role playing games. And I realized I had been thinking about this entirely incorrectly. I was really good at what I did. I had done the equivalent of having like a level 20 bard with all of these really super specific skills, all of these really super specific spells, all of these abilities. and I wanted to transfer in to a warrior barbarian party. They don't they know that I'm good. They can see that I'm useful. They don't know what to do with that,

right? It's like trying to defend a castle with a guitar. I mean, I could totally make up a story about how that would work, but it doesn't immediately bridge that gap when there are so many really good people who do. We're back to privilege. So, I had to use some of that guitar and figure out not only what I needed to add to my resume to make myself competitive, but how do I tell the story about what I used to do? Kind of what I did a little bit earlier, how do I tell that in a resume and in an application so I at least get the shot of talking to a hiring manager. And with

that, here are our character sheets for today. These are bastardized and modernized and very trimmed down. These are Excel sheets that you can download to your phone if you wish. Uh if you access the folder earlier, those are view only. So please do save your own copy on your phone if you want to play. If you don't, that's fine. I'm I have examples here. So I have examples for the softskll professional, which is someone like me, someone from the humanities, someone with that what do you do with a BA in English? Thread intelligence as it turns out. uh hard skills professional. So these are your developers, these are your data science people, these are your

I would dare say cyber security professionals who want to actually migrate to a different niche because they have niched and specialized and not been entry level for so long that now they've just been pigeonholed, not niched, and they'd like to move to something different. So I would recommend using that one. And if you are any sort of student and I include master's degree students right now if you are any sort of student at all specifically comp cyber security please use the third word to the wise I will punish you if you dream big on this. I am your DM for today and I am not playing fair because the job market does not. Again uh if you use the QR code in

any of those it will prompt your phone to go ahead and save it. Save it to drive, save it to files, and then you can open up the Excel and be able to use this during the exercise if you wish. I have screenshots. You don't have to, and you don't ever have to have played before. Also, if you're specifically interested in how to get promoted and using your cyber skills to do that in kind of a different context, I highly recommend you look up West Shepard's Failing Upwards from Bides 2023. That is a lovely QR code to access that on YouTube. It is fully free. highly recommend. All right, so we're going to make up our very first resume as a

demonstration of why I sucked. I'm going to use the soft skill starter here. Um, there will, by the way, be a mixture of screenshots from my personal cell phone and then my computer because I updated this. So, here you go. You'll see here in general stats, this is just who you are to start off with. Everybody has a class debuff of minus3. When I say debuff, I mean every time I ask you to roll, and you have to roll at least this number or higher to succeed at whatever we're trying, as we'll do a little bit more demonstrabably uh during my workshop tomorrow and interactive, we have a whole role playing thing. It's going to be fun.

Um, your background counts against you every time. And we'll get a little bit more into that. So, everybody has a minus three. and not just picking on one class or another. For gender, you can go ahead and pick whichever one you most present as right now. Or you can roll. And if it's odd, uh I all each of those categories with the underline is a clickable hyperlink to a dice roller because I did not want to play ping pong all over the floor. Um if you end up rolling odd, you're male and if you roll even, you're female or presenting. I'm well aware that gender is more than a spectrum. This is for de demonstration purposes. So,

uh, race, you can be an elf or a dragon born. This is pretty much the remnant of my fantasy, uh, original version of this, which was very allegorical. Uh, if you roll an even, you're an elf, and if you roll an odd, you're a dragon born. Or you can just pick one because it's cool. Hey, look. I think some of you are starting to understand just based on what you've rolled that doing this is really hard and I have weighed my worksheet accordingly. Not only that, most people are coming up through an IT position. Most people have a bachelor's degree in compsai or in cyber security. the days when you could get by on just your portfolio alone, especially

in this job market, which has laid off a ton of really talented people that you're now competing for and competing at levels and skills and roles that previously they would just skip. My god, this is not going to be fair and I'm really, really sorry about that. Which brings us to this as I explain why you guys see the negative debuffs on your character sheet that you see right now if you're playing along. And I'll show you them here too. Opportunity is basically equal to luck plus preparation. And then every time you fail, you just try again. So it's multiplied by the number of attempts. The more times you try, the more bites at the apple you ultimately get.

There are environmental factors that can give you There are things you can do and things that you are that give you an advantage. There are things you can do and things that you are that just don't give you a disadvantage. There are things that you do and things that you are or were that give you a really big disadvantage. my previous marketing degree, excuse me, my previous marketing uh legacy, my career, that's 10 years of awards, of metrics, of all of this, my portfolio, most of it was junk because you guys really hate marketers a lot. I don't blame you. I truly don't. I'm sorry again. I I'm like apologist here. That weighed against me.

Everyone could see what I had done previously and they judged me before they had a chance. I had to compensate for that. It wasn't right. It wasn't fair. But I had to be that much better than every other option that they got through the door to be able to even get my shot. And again, it's not right. It's not fair. It is what it is. And you guys have to find ways to weigh the balance in your favor if you really want this to work. So luck in part are those things that we are or can be perceived about us that we cannot change. I could not change for example the fact that I'm a girl or I

present as one. I am How many white men do you know in cyber? I rest my case. How many white people do you know in cyber? A little bit less, a little more even, but even so. Race and gender give opportunities or really don't give a disadvantage depending on what you have. It's not right. It's not fair. But you have to acknowledge those. And it's not every team, right? It's not every community. It's not every organization. But assume the worst here. There are also environmental managers that you get that don't weigh against you. When I was trying to do my switch, I have a small child. He's five and crazy. Um, was in Adora the Explorer

mode when I first got my website. So, striker, no striking. There you go. I was still married at the time. That meant I did not have the bills I have now. I had more free time. I had more benefits and resources and people I could lean on while I did hyperfocus on all of my exam studies and I could pay for these hundreds of dollars of exams and thousands of dollars of going to conferences that really made the difference for me to be able to break in. That was a bonus that helped a lot and I'll show you how here in during this exercise that was not something I could change at the time. It just was an

advantage I had over other people in my position. You guys each have something. I don't know what it is. Think about it. What advantages do you have in your situation that you can use in your favor or appreciate the ones that you didn't even think about? Preparation of course though are those things that we can change. I have a starting class of -3 because I used to send you emails that you hated. However, in increments, I could do things and modify my resume enough that I could at least counter out that negative debuff. Yeah, she might have been in marketing, but look at all this other stuff. That's how you do this. And I'm not telling you it's going to work every

time. I'm not telling you I'm going to make it you're going to get it like 50% of the time. No. All I'm doing is letting you weigh the dice in your favor. That's why you have buffs and debuffs. and we'll talk about the different things you can add and the ways in which you can think about that. All right, so it's time to apply everybody. If you filled out your starter stats, you are ready to apply for your first job. This is to demonstrate how freaking hard it is to do this without modifying your resume. Uh go ahead and roll. You have this is a check of at least 15. So you have to get at least a

15 or higher in order to score properly. You'll notice that when I did this as an example, my starting modifier was seven. That means in order to get a 15 or higher, I would have had to get uh I think I would have had to have what? 17. No, more than that. 22. Thank you. I remember thinking this one was impossible and my brain just shut off. So, let me roll and see how good I do. 10. Three. I don't even get a Sorry. I just get ghosted apparently. Great. All right. There are however things you can even do now. Please raise your hand. And you may not cheat now. I'm watching. Did you introduce yourself to

someone in this room? Did you say hi? Raise your hand if you did. Someone new. Hands went down. All right, you guys. For the rest of the game, you can reroll. Networking, making new friends, meeting people. This is one of the most powerful things you can do in this community. This is a community. That means people make it up. And I'm not saying they're going to get you an in. I have never, by the way, gotten a job from a referral. It's all been called applications on LinkedIn. My co-workers had no idea who I was coming out of nowhere. Hi, sorry. What they can do for you is to look at your resume and give you some

insight. They can keep an ear to the ground and if they have they see something that you might be good for, they can send it to you. They can lift you up and make sure that you're feeling okay when you're looking for a new job. These are the pe they can tell you when you're wrong. That's really powerful. I had to correct so many things about this presentation and my workshop that were wrong. I got very clearly told how I was wrong and incorrect in several very good ways. So, the recommendations and if you downloaded the worksheets, you'll notice that I have lists of projects. I have lists of different um adjectives you could describe yourself as and things to

lean into. I have a list of certifications you can consider. Those were all vetted by people way smarter and more senior than I. Don't don't let please. We can argue all day long about why isn't this on there? It's just an example. But if you said hi to someone, you're allowed to put yes in this little drop down and then you can reroll. And you know, since I did that, I cheated. I knew this was coming up. 14, which is still not 22 on a 20-sided die. Wouldn't have helped anyway, but you know, at least I got a little higher. All right. So, one of the biggest ways in which you can break in is by actually

liking the field. People smell people just looking for money. And it's not I mean, I'm not doing this for free. I'm doing this for free. I'm not working for free. That's important. But passion goes a really long way in this field where things are changing constantly. You have to constantly be learning. You you never stop. I don't care if you got your degree this year. What have you done in the last 3 months because things rapidly change? I'm looking at different thread actors at work than I was what, two weeks ago. Two weeks. Yeah, that was when we got that one. Yeah, that's how fast this changes. Only people who care will be able to keep up.

So, how can you show that you care in your resume? All right, so you guys ready to actually get through the door? This will be exciting. All right, there's four steps to reskilling your resume. The first is niching down. How many people Okay, raise your hand if you have said this. I want to get into cyber security. And then you have a friend who goes, great. What do you want to do? And then you go, "Yes." Can you raise your hand if you've said this or had someone say this to you? I'm really sorry. I once sent a friend who, oddly enough, worked in thread intel. Um, I'd met him. I had him over as a as a webinar speaker at my my

cyber security employer and I'm like, "Yeah, I really love doing I love being with you. I I think I can do this." He's like, "Great. What do you want to do?" I literally spent 45 minutes sending him 10 text messages that were like two paragraphs long. My coworker will also attest that I could totally do that. He later admitted he read none of that. And he said,"Great, you need to pick one." So, you pick a specialization and you just pick one for fun. This is the start. Okay? You can be wrong here. I thought I wanted to be an auditor. You think I could really just, you know, check it off and then tell somebody,

"Yeah, you've got these things wrong. I'm not going to tell you how to fix it because that's liability. But, you know, you have them wrong. You know, I would die. But I thought I wanted to do that. And so, it's okay if you're not right the first time. But, you have to try and pick something. Then, you're going to analyze the different job postings in that specialization. You're going to see how many of the skills do you already have from whatever you previously did, student, other employer, whatever. And then you're going to look at what do you still need to do, what is achievable versus what isn't. And then you're going to make sure your resume

has those keywords. Yay. Search engine optimization coming back to help. Right. All right. These are actual job postings that I found best last October just for fun to look through. Um, and things in green are things that I think I have. I like to think I'm a strong communicator. You guys can be the judge. I think we have speaker reviews. things in red are really things that I cannot do and I would be dumb to try by my own personal opinion at least given the time that I have for example I can understand it infrastructure and networking given time given lots of Googles and harassing my co-workers about things I cannot do it quickly when

you are a sock analyst dear god you do not have time to be like hey I forgot what port that Because can you tell me like you don't have time? I would be a terrible sock analyst and that is traditionally one of the most entry-level positions in this non-entry level field you can think of. That is not where my skill set lie which meant that I had even harder road to ho road to ho. There we go. You're also going to find things like cyber security consultant. This was by the way listed as an entrylevel position. about half of job postings that I analyzed in a sample last October were at least one level junior uh a senior

excuse me to what they actually advertised. This is where you get your entry level five years experience and CSSP uh your CIP encouraged. That's where you get this from. Uh this was not acceptable. I could totally assess, manage and mitigate risk. I had done so in a different context and it was a pretty simpleish relication of those previous skills where I was assessing risk for multi-million dollar campaigns. On the other hand, I definitely could not lead implementation of cyber security requirements. That was this is off the table. I could not do that. It would be irresponsible of me to try. But then after some time, intelligence analyst. I mean, look, I can totally synthesize data and help with alerting

services. I had done that repeatedly. Content marketing is all about research and how do you find the data within it that your audience needs and put it into a format that they can most use. Boy, that sounds familiar. I can also identify threats to reduce risk. tell like let me explore and see what the baseline is, what we have to work with and then I can use those variables to figure out what is most pertinent. Yeah, I can do that. I can definitely find pertinent factual information that yeah, however, I could not or at least immediately couldn't prove that I could support monitoring engagements. I couldn't prove that I had was able to find new collection sources

and specifically in named software. I had never had the chance to. So I had started to collect a list of skills and qualities and technologies that I needed to at least be familiar with, know what they were supposed to do, and how I could very quickly get up to speed if I ended up being employed. So, going back to our lovely character sheet, it's time for you guys to niche down. Pick a specialization. I have a drop-own list of for each character class of what has been communally considered reasonable next steps. Now, you guys can shoot for the moon and do whatever you want. You can c you can put in something else that I didn't think

of. That's great. Good for you. Have fun. This is an example. You can always find exceptions to the rule. Don't at me. So, depending on what you pick, it's either going to be a reskill or a dual class. So, click to go to the appropriate tab in your worksheet. You've probably already seen that I've been not nice. Reskill is a lot harder. This is because there's less crossover of your previous skill set. It could also mean more advanced training. Like for me being a sock analyst would have been a recclass. It would have been a reskill because I simply did not have any of that and I would have had to get good enough to be qualify for those

interviews before they would have let me through. It also is popular. Who here put pentester? Who wants to not fess up to that fact that they put pentester? Let me let me give you some advice. Pentesting is not Mr. a robot pen testing is not darknet diaries for the most part. I mean, it's cool as hell. I love that podcast. That's maybe like 5% of your time if you're lucky. The rest of the time, you are writing reports. You are trying to convince bureaucrats with budget that you should spend on a cost center that they don't actually care about until you find the exploding doll head. And if you want that reference to the Darknet Diaries episode, I will be

happy to give it to you later. Until it's a liability, they don't care. And your scope of work probably limits you from actually proving that completely because you're working on an active production line to break in. I mean, they don't want you shutting down the surgery laser in the middle of an actual surgery if you're pentesting a hospital. Plus, because everybody else wants to do it, it's that much harder for you to get in and wages are suppressed. So, I will punish you. I'm really sorry. Yeah, I know. But if you can still succeed despite that punishment, maybe. On the other hand, dual class is an easier next step and something I would highly recommend people consider.

This has more and clearer crossover of your previous skill set. This could also be doing your current role at a security related or I had accidentally done this when I started doing content marketing at a cyber security vendor. I was encouraged to do the kind of research in cyber security. learn the systems, learn the lingo, understand the ramifications so that I better understood how our products and services fit in. But I just thought it was cool and it made transitioning to my next company in an actual cyber security role a lot easier. So consider that if you're having trouble. These are also the less popular roles. If you're struggling and you have the requisite skills, consider an MSP,

MSSP, a sock analyst kind of role, maybe even a bad shift. That's going to be a great entry round. You're going to see a lot of different environments and one or two years in the meat grinder, you can go elsewhere or at least get a better shift. It's going to take work, but that's going to be the easier next step. Not most desirable, but easier. From there you can see that each of the reclasses or the dual classes differ slightly. I have made the debuff worse if you have picked reskill because it count your previous career counts more against you if you decide on this route. I have also made it so that your previous abilities are worth less. So

you carry over your primary ability from your previous class to use in an answer. It is however worth less. It is still a positive modifier, but instead of a two, it's a plus one because again, they don't value that as much as that very niche role if you've gone for the harder route. In a dual class, your debuff is still existing. I mean, I don't think anyone's still really enthusiastic. I had a marketing background, but like they can kind of understand it. They can squint and turn their head and see how that worked. From there, my previous ability still counts the same. This is one of those no disadvantage kind of moments. Your second step when you want

to reskill your resume, and this is one of my favorites actually. Find your unique angle. Soft skills are important people. We'll get to that in a second. Ask your co-workers and your classmates. And it has to be your co-workers and your classmates. It cannot be your sister. Sorry, Abby. It cannot be your family. It cannot be people who have not worked with you in some capacity. You have to ask the people who have worked with you within your current role, even if it's not related to this. What makes me good at blah? Why do you think I'm good at blah? Great place for this, by the way, are your regular reviews, where your manager has to put

that in for HR. Go ahead and get that. You need to gather all the reviews and compliments you get. When somebody slacks you, hey, thanks so much for doing this. this really helped. Screenshot it and put it in a sunshine file. I whip it out on cloudy days when I feel like I'm an idiot to remind myself that yes, I actually do know what I'm talking about and this was just a bad day. Then you need to triangulate. You need to compare. So get two or three people to do this. See where they with no prompting have said the same thing over and over again. Those are the things that you can personally lean into

on your resume or in an interview conversation on your LinkedIn profile, which yes, if you don't have a LinkedIn profile, please get one. I don't care if you don't put your real head, but like have one, please. Please. I know it's awful. Just please. Um, you can lean into those qualities and know for sure it's not just you being optimistic about what you're good at, it's what other people think you're good at, too. This is really important. because there's a lot of non-technical skills that hiring managers specifically think are valuable on a team on a cyber security team specifically. Raise your hand if you personally or have heard of someone another hiring manager have somebody come through who

was really good at technical work but they didn't get hired because they were an ass. All right. I've not been hired because I was an arrogant person at some point in interview process and I look back and cringe really hard. I was overcompensating for my insecurity in that part. Soft skills are important. They will prevent you from being hired. Take it seriously. And if you're not good at it, don't just say, "Me, who needs it? I'm good at the technical stuff. Just put me in a corner and I'll grow mushrooms on my hacker hoodie." which I mean, yeah, but we'll get to why that's important, but in short, by the time you get to an

interview series where they can assess your soft skills, they're not just looking at, can you do the job? They've seen that on your resume. They're more looking at, do I want to work with this person? Be someone other people want to work with. This was a really lovely compliment that somebody actually screenshot to me. Um, so at my first cyber security role, uh, I was the head of communications, uh, security communications and planning for a thread intelligence and research group at an MDR. I was in charge of helping to put together materials narratively uh, to make a CTF make sense. We told a story with our CTF. It was using the product. So, I was really trying hard to make it

like universally applicable instead of a very clear demo. I I tried. One of those things though was that they asked for my help to put together a trailer um based to to advertise on LinkedIn because nobody else wanted to do it. Okay, fine. So, I put it together. I had previously worked um with freelancers, so I knew how to put together a creative brief. I knew how to put together instructions for someone so that they could follow what I wanted and I can yeet that thing over the fence and they won't bug me. I've put in all the work. you have all the answers. Please let me do the actually important stuff now. Turns out this was one of the best

instructions they had ever gotten. And my friend was like, "Yeah, did you hear how good that like I'm like they just haven't bugged me. I assumed it was all okay." They screenshot this and gave it to me cuz they were talking in the back channel about what a nice job I had done on this. One awesome co-orker. God, thank you so much. And two, I kept this for a sunshine file so I could remind myself when that same job laid me off about eight months later that I was good at what I did. And three, it told me that one of my skills un unsolicited. It told me that one of my best skills was being able to lay out

documentation to extract the important bits and communicate information to someone who is not technically skilled to understand what they needed to do, why that was important and execute. marketing had our marketers had no idea how any of our tech worked or why this was relevant. That was half of the brief and they did a bangup job on it. Honestly, it had a flaming green skull. It was really cool. So, for the sake of this exercise, and of course you guys all have more than one, but for the sake of this exercise today, pick one quality, one soft skill that you think you have. You don't have time to do the triangulation, but these are, by the way, a list of skills and

innate qualities that my hiring manager friends who have hired in cyber, which I have not done, have considered to be important in hiring. So, if you're looking for a soft skill to to try and perfect, pick one of these or to demonstrate. By the way, kind is just the rule of don't be a

dick. From there, the third step is going to be doing victories over test. This is a bit of copywriting advice for you. And if you have not, and I swear I'm not sponsored, Allison, if you want to change that, one of the most formative books I ever received was a PDF that I paid 25 bucks for from some blogger who just self-published on her blog. 25 bucks and I got a PDF called How to Get a Job. Allison Green also runs the ask a manager.org blog. Fantastic. In it, she provides this particular copy formula which I have used to very great effect. And this should get you started on thinking your resume, your materials, what you talk about. Oh, what do I do

for a living? Don't talk about a job description. You are just like every other blankfaced person in this resume stack. If you do that, you talk about what makes you different. You talk about what you have succeeded and what you have done and what you have accomplished. That is what makes you different. And if you can't think of that, you need to start really thinking now and gathering evidence. Again, your sunshine pile is a great example for this. So, you did X using Y as measured by Z and Z should be some sort of number. Uh my co-workers will tell you I harp on numbers. Prove it to me. How did this work? How did this happen? What was

the impact? Prove it. Estimate and flag if you're estimating. Don't try and exaggerate. Do not lie with this. We're in cyber. It happens. So, the first I could have picked a lot of different examples, but my first resume was covered in things like that. No wonder people didn't call me back. I had to revise my resume to show that I was able to do data analysis. So I don't think at any point anyone who's hired me has actually cared how much revenue I brought in. That's a marketing metric. However, it shows that I'm able to use data to speak persuasively. It means that I can measure impact. Not only impact, but I can measure dollar

impact that impacts the business, which is in thread intel really important. This is a great way by the way that I am showing that I am data driven and logical. Not just saying in a summary, I am a data driven, logical person. Make sense? And now we're back to proving it. On the right is a screenshot of my portfolio, which was the last page. I had three pages of my resume that I typically submitted, 10 years worth of work. It took a minute to like, you know, consolidate. I I had earned those two pages at that point. But that third page was just this nicely printed table proving of all of the publicly available evidence I could provide that I could do

the job. I had done the things. This is an example of all of the work and ways that I can perform. I'm not just telling you that I wrote emails. I'm showing you. I'm not just telling you that I produced webinars. I am showing you. I'm not just telling you that I accidentally wrote up thread intel profiles without actually knowing that that was what that was called or why that was important. I'm showing you so you get to pick one. And this and now we're at two augmentation of your resume. This is how you prove that you can do the work because it's not enough to just want to pivot into cyber. You have to prove that you can do it. You

may pick one. And before we get on me about certifications which very briefly I have uh badges which is your inerson conferences in person for that networking element. We have certifications which are or exam passes frankly I have twoerts and five exam passes because I don't have the time in industry yet to have theert. I certainly haven't spent five years auditing to get my CISA even though I passed the exam and realized halfway through that I would never do this professionally. That was a waste of money. Oops. Better now than later. Um, and then projects, personal projects. What are things you do in your off time to prove that you're passionate and curious and continuously

learning? We're back to that's the differentiator if you want to break in. You're not jaded. You want to continue developing. So before we get into and knowing that this is drawn from a research project um that has a certification process. So take it with a grain of salt. But certifications are valuable because they prove knowledge. They don't prove experience unless you're certified. But the passing of the exam proves knowledge. And when you're pivoting in from a different career, knowledge is the thing you need. You'll also notice here that I'm limiting you to just one, though, of course, you can augment your resume with as many as you want in real life, as many as you have time

for. And I put gold. Each one gold next to each of these selections is worth about 100 USD. You are limited in money. You are limited in time. Choose wisely. So now we can reroll. And that's taken our initial starting modifier from ag -7 to a negative -6 which makes it possible if I get a 19 or 20 still very very high and you have to try a lot of times to get that break but now it's possible instead of trying to roll a 22 on a 20-sided die. I just said I would help. I can't guarantee anything especially in this market. Dear lord I got an eight though. Oh well. All right. So, let's pretend for a

second that I actually succeeded, which I think I've done once in practicing all of these. Let's do some interview advice quick. Relax. If you got through HR and you're on to the hiring manager round, we are back to the do I want to work with this person? Make it so that you're someone they want to work with. Doesn't mean suck up. That means don't be a dick. If you're struggling with this, not that it's ethical to use social engineering for this, but charisma on command is a very interesting channel. And that's where I'll leave that. Also, pause. Don't try and be fast with your answer. Think for a moment. Pause. She says to herself. Think through and be logical

and direct and walk someone through your response. If you've heard of STAR interview, it's a situation, task, action, and result. There's a similar acronym in the DoD uh which I don't remember offh hand uh but it's the same thing. Thank you. You can usually um tell that you're about to get one of these because it's tell me about a time when they wanted you to tell a story. So tell them a story. Start at the beginning. What was the context? What were you trying to do? What was the challenge or the villain or the bad guy you had to overcome? And then what's really important here, think like our lovely Skyrim guard. What would you have done

differently next time? Because you'll see it again. Make sure that they know that you can think through your problems. If you get a challenging question, ask for clarification. oftentimes you can I'll try and reframe the question or ask them to say it in a different way and they'll give you more clues about how they're thinking about the question that you can try and respond to that rather than directly the question you don't know and since you're pivoting in you will admit when you've not done something or you don't know and explain how you would approach it. In the gauntlet of interviews I did for my current position I had a co-orker ask me about something and I blinked on the

pyramid of pain. I had literally just looked at that and I could not remember the term. I described it really well. I could not remember it and I felt like an idiot because it's really basic. I still got the job. Even though I admitted I didn't know something, something really easy. But you should also explain how you would find it. I don't know, but I would start here. I don't know, but this is what I would try and search for. And this is what I would try and look. Security is all about unknowns. If you don't know how to find your way through an unknown to a solution, you're not going to be a good security

person. So, I would challenge you all to think about this question because this is a really good one. How would you prioritize a list of critical CVEes for patching a remediation? And now you roll. You got to get over an 18. Uh, yeah, that's a check of 18. Got to get over an 18. might be possible, might need not. And if you get a reroll for anyone who's got a reskill class, you can only draw from think about how a session here gave you the information or an approach to answer that question that you wouldn't have had otherwise. If you're dual class, you can now talk about your previous job experience because it's not as much of a weight

against you. So very quickly um again you can go there and you can get the uh worksheets that we'll be working through at my workshop tomorrow uh for you guys to have in reference. Opportunity equals luck plus preparation multiplied by the number of attempts where there are things outside your control and in your control. It's not right. It's not fair. But you have to be that much better and you can. You have limited resources. Please use them wisely. Don't try and do everything. Do the things that matter and that you're good at. And then finally, you need to prove you can do the work. I'm not here advocating for just any random person to get in. You need to prove you can do it,

not just say it. And that certifications can help with knowledge. They do not prove experience. So go to net conferences and network with people. Work on personal projects. I accidentally made a tip a threat intelligence platform before I knew what that was. cobbled together with some very weird Zapier automations in Feedley because I got tired of losing links. But I did that and that was really cool in some of my interviews. And with that, I wish you nothing but D20s. And I don't know if we have time for questions. We do. Head nod. So, thank you all so much. Uh and uh if you have questions or would like a D20, um how do we do this? I don't I

don't know. Uh, anybody have a question, comment, concern? Yes, sir. Where they at? All

right. And also we got spend a lot of time. Do you have any suggestions for like how to balance the Yes. Okay. So, the question was, I'm a master's degree student. They're booking my time way much. How the hell do I balance the technical stuff I'm being asked in my master's program with the soft skills that I'm recommending? I'll be honest, practice making friends. And this is weird, I know. I purposely picked my undergrad. I started off at Penn State University main campus, which has 40,000 undergrads. And I figured if I screwed up making friends, there was always another person I could try with. That was literally my logic. Wow, that was sad. But I learned

how to approach someone and how not to. You learn how to do interviews by doing more of them. So take the people around you and practice reaching out. Practice being kind or patient or think of ways you can do it within your classroom. A great example is if your professor offers office hours, go. They automatically like you because they're bored as hell. And just practice listening. I think that's another thing, too. Cyber security, as much as I've been talking up here, active listening is really important. Not just hearing what you want to hear and waiting for your chance to talk, but absorbing what they say and responding to that and then asking them a question in turn. Those are two really

easy ways that you can practice your soft skills even when you're super busy. Beyond that, again, charisma on command. It's pretty fun. I reverse engineered green flags for um being asked out on dates. It was weird because I wanted to like stop. Long story is lots of applications there. Anyone else? Yes.

Uh there are many personal projects you can do uh in the character sheets um that you have for Excel. there's a whole dropown list of any of them and a lot of them you can do for free. Um otherwise uh uh the there's a whole list of different ideas and personal projects in the worksheets for the workshop tomorrow. Uh in terms of personal projects though, again, I wrote threat profiles in my previous research that I didn't think were relevant. Um I didn't realize what they were at the time. So I featured those things. I featured things from my previous life that cyber security people could or should care about. Not necessarily the entire repertoire. Not everybody needs to see

what a wonderful job I did on branding for example, but you know the webinar that I held on, you know, generative AI for infoscond hackers that I produced, that's probably pretty relevant to feature. So think about the things in your previous life that you've done. Think about things that are free. And that's another opportunity for networking. Partner with people who are smarter and better than you and ask if you can help or learn. You not only get a by line on that but you get help. Uh no last question. Yes.

Yep. So, great point, too. And that's actually one of the personal projects listed on the list, and you just reminded me, volunteering. Um, I met someone just today uh who is it's her first uh besides charm and she is volunteering as as physical security staff. What a wonderful thing. I mean, that is just remarkable. I wasn't brave enough to submit to this conference until I went last year um for the first time, but volunteering is a great way to give back to the community, show you're dedicated, get a free ticket in for when you're not working, and it gives you something really lovely to put on your resume. But more than that, the things you learn at

a conference, the people you talk to, they're going to be the difference, and they're going to probably be the difference between a failure and a success. So really consider how you're going to become part of the community and what you can add to it. Again, I wish you all many 20s. Thank you so much for coming.